By Paul R. Bergeron III — March 2015
Headlines during the past year about credit card numbers and personal information being stolen from corporate databases have some consumers a bit on edge about making financial transactions online.
In response, apartment owners and management companies are focusing more on their residents’ credit-card payment experience. They must, they say, because many residents now expect the perk of paying rent online with a credit card.
While the public focuses more on greater ways to protect personal information by crafting indecipherable passwords, the information technology (IT) staff at apartment communities are paying more attention to their supplier-partners’ safeguards and how liability is defined in their contracts.
Can’t Recall Your Password?
Among the new payment security innovations are near-field communication (NFC) chips and EMV chip-and-PIN. Another is double-authentication—a process whereby the user has to enter two different security tokens, usually a password and a code received by text message, to log into a site. Consumers’ reactions are mixed: peace of mind from knowing their information is better protected, and aggravation at having to create and remember yet another log-in password.
Andrew Marshall, Senior Vice President and Chief Information Officer, Campus Apartments, says two-factor authentication works in the apartment owners’ favor. But he adds that requiring residents to perform another step in the online payment process could be a turn-off.
“Creating ‘friction’ for residents who choose to pay their rent online could lead them back to paying via personal check, which takes time away from onsite staff who could be dealing with other, non-clerical tasks,” Marshall says.
“You want to create a feeling of comfort with the payee (resident) and the process. And let’s be realistic: Requiring something like double-authentication is not going to make the residents’ information any more secure from the kinds of breaches that have been making the headlines recently, where the company’s security has been breached, not the customers’.”
Alliance Residential owns or manages approximately 71,000 units across 290 communities. The company’s Vice President of Technology Scott Pechersky says he is a big proponent of multifactor authentication, but requiring it could be seen as a burden to residents.
“Our goal as a company is to identify ways to simplify processes for our users and residents,” says Pechersky. “[Alternatively], we are researching a single sign-on product that does not require a second form of authentication; unfortunately, the concern is that it also makes things less secure. As of now, Alliance is only utilizing multifactor authentication on banking sites that require it. We don’t have any plans on implementing it elsewhere.”
Marshall further says that paying rent via ACH is no more secure than a credit card. “Almost all of the customers’ information is printed right on the check, anyway. As with credit cards, once you hand that over, how much control over that information does the consumer (resident) have when it’s in the retailer’s hands?”
Although every consumer should be aware of risks and take steps to secure their own personal information, Marshall says that professional hackers aren’t that interested in collecting information one customer at a time.
“They’re interested in collecting information in massive swaths that can be sold to the highest bidder,” he says. “The way that hackers are gaining access to this information is through the backdoor—where a company’s transaction information is stored. That’s usually with a payment vendor or a merchant processor. That’s where apartment owners need to be focused. They need to make sure that their vendors are doing what is necessary and that the vendor is liable, not the owner.”
No one contacted for this article was aware of any breach at an apartment owner or manager, either self-reported or reported by residents.
Get It In Writing
When owners contract with outside vendors to do credit-card processing, “or frankly any sort of information technology/information security process, they need to clearly draft the contract so that security obligations and expectations are spelled out,” says Brian E. Finch, Partner, Pillsbury Winthrop Shaw Pittman LLP, Washington, D.C., a guest columnist for The Wall Street Journal on the topic last year. “[Payment Card Industry or PCI] standards are part of it, but there are many other layers involved. There is not enough of that going on right now.
“Such language can take any number of forms,” he wrote. “For instance, when entering into a services agreement with a cloud security provider, a CIO should make sure the contract sets forth who is responsible for securing data in motion, data at rest and what controls will be used to prevent the lateral spread of malware. Further, the obligations should be couched in specific language, not broad statements. References made to ‘industry best practices’ or ‘reasonable efforts’ are insufficient and too vague to do any good. If nothing else, they will lead to expensive litigation to determine what exactly they mean.”
Marshall says that if the property owner is “eating” the discount percentage charged by the card company, typically around 2 percent for Visa and MasterCard, then the owner will want to discourage cards, not encourage them.
“Some owners charge a convenience fee, but you have to be careful to stay in compliance,” Marshall says. “ACH is where everyone wants to be, rather than cards. It’s cheap for everyone, and there are fewer chargeback problems.”
Dan Gillean, Executive Consultant, NWP Services, says only about 5 percent of his company’s clients’ residents pay rent by credit card, because of the convenience fees that some apartment communities charge residents.
Online payment of rent by credit card is growing in popularity. Property Solutions says that 100 percent of its clients accept and process both credit cards and ACH payments through their onsite property management software.
Allen Ingram, Chief Technology Officer, Associated Estates, says that, coincidentally, he met early last fall with a cyber security expert from PricewaterhouseCoopers. Associated Estates operates 54 apartment communities containing 13,964 units located in eight states.
“We as a property management company do not store any of our resident banking or credit card information within our four walls,” Ingram says.
That step alone is crucial, industry sources say.
“All of that data is secured through SaaS providers, so we are only as good as they are,” Ingram says. “If they are compromised, the headlines may call them out, but we are ultimately responsible.”
Ingram says this starts with ensuring that those providers are PCI compliant.
“There was a time when companies just asked about compliance, and then checked the box that says they did so,” Ingram says. “Today, it’s imperative to take it many steps further and ensure your vendors have cyber security and incident-response plans in place by asking if they have tested them and whether you have a copy.
“I doubt they would let you take a tour of the inner workings of their data center, but it doesn’t hurt to ask. It’s important to your organization to be more direct with your vendors to ensure measures are in place and followed.”
For example, Ingram says that what complicated matters for Target retail stores in its highly publicized breach last year was that, while it did have a plan and tools in place, it wasn’t necessarily following them or paying attention to them.
“We learned later that they (Target) were getting alerts and warnings about the breach, but nobody was paying attention and they didn’t act,” Ingram says.
Apartment companies, particularly smaller-sized ones, should contract with large financial institutions to do their credit card processing, Gillean says.
“Chase, Bank of America, First Data and others that are actively in the business on a full-time basis can provide the type of security that is recommended and required,” he says.
“What we are seeing with the major breaches reported in the news is that the thieves are not interested in a single transaction’s information, or even a small batch. They are looking for ways to gain the information of, say, 50,000 transactions.”
MasterCard and Visa announced Feb. 13 that each plans to invest in greater cyber security. Their pilot programs later this year will use a combination of biometrics, such as facial and voice recognition and fingerprint matching, to authenticate and verify transactions.
Protect This (In) House
Bill Szczytko, IT Executive, Maryland Management, is in charge of a 9,300-unit portfolio, which accepts online payment for application fees (but not for rent) via credit cards through its internal system. It also processes ACH payments from its own resident portal. He recognizes the risk and challenges this approach presents.
“Our decisions, including using the Cloud, came after doing a lot of research about the best ways to approach this,” Szczytko says.
“We store zero pieces of credit card information on our servers. We require that all numbers be shredded and destroyed after their use. Nothing is stored anywhere for multiple uses. This was vital to the whole thing. No one has access to our server rooms as they are locked during all hours. Our administrator password is extremely complicated. I should know; I often mistype it.”
For its online credit card transactions, all information is uploaded to Maryland Management’s merchant bank, “where we only receive a token which we can use to process data,” he says.
“All passwords are salted and hashed. We force our employees to change their passwords every 180 days, which isn’t stringent yet, but it represents one of the baby steps our company is taking to be more secure.”
Still, that doesn’t make Maryland Management invincible, Szczytko says. “If hackers want it, they will get it.”
As for consumers, Szczytko believes that ultimately they will understand that common sense will help them protect their personal information.
“It starts with good passwords,” he says. “A password that is eight or more characters in length and includes a capital letter, a lower-case letter, a symbol and a number is not going to get ‘cracked’ because studies show that it generally takes password-cracking software 200 or more years to pull this off.”
NWP does not store any of the residents’ personal data as defined by PCI requirements. Names and addresses are kept, but no credit card numbers, Social Security numbers or banking information is stored.
One national software firm that provides online payment services says that firms that store transaction information on paper, whether onsite or in a storage facility, also must be concerned with theft.
Offering a Wi-Fi hotspot is an amenity that residents appreciate, but property owners and managers should be aware that allowing access to an unsecured Wi-Fi that ties into a management office network creates significant security risk and greatly increases exposure to hacking and data theft, says Michael Mullin, President, Integrated Business Systems (IBS), Totowa, N.J.
“At a minimum, multifamily operators should set up a guest network and encrypt their existing network with Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2),” Mullin says. “These security protocols are designed to protect wireless computer networks. For additional security, turn off the ‘SSID broadcast’ on the private Wi-Fi network. That way, when visitors search for Wi-Fi access, the network will not show up on their ‘available networks’ screen.”
As a best practice, Mullin says to set up a separate wireless access point for dedicated resident use.
“This is the most secure option and will keep private business information safe from anyone using the public Wi-Fi hotspot,” he says.
Pew Research reported in September 2013 that 11 percent of Internet users say they have had important personal information stolen, such as their Social Security number, credit card or bank account information. The survey is based on phone interviews conducted in April of that year.
Paul R. Bergeron III is Director of Publications for NAA and can be reached at 703-797-0606.